Popular Chrome Ad Blocker Faked, 30k Users Infected With Malware

“Fool me once, shame on you. Fool me twice, shame on me,” as the saying goes. Unfortunately, Google has now been fooled by the same trick twice.

For the second time in recent years, Google has allowed a malicious variant of the popular extension “AdBlock Plus” onto its Chrome Web Store. It was noticed by a security researcher going by the alias “SwiftOnSecurity.” Before Google removed it, it had been installed more than 37,000 times by unsuspecting users.

This incident underscores a serious flaw in the way that Chrome extensions are uploaded to the Web Store.

The entire process is automated, and Google only intervenes if an extension is reported as being problematic. Unfortunately, given the automated nature of the process, it’s almost frighteningly easy to abuse, and since there are no significant checks on the front end, hackers can upload extensions bearing the same or highly similar names as extensions from legitimate developers. Unless a user clicks on the “reviews” tab to read what other users are saying about the extension, at first glance, they’d have no real way of knowing that there was a problem until they started experiencing it for themselves.

As mentioned, this is actually the second time this very extension was abused, the first being back in 2015.

As malware goes, this one is annoying, but not awful. Instead of blocking ads, it has a tendency to open multiple new windows, displaying a torrent of unwanted advertising. Fortunately, there don’t seem to be any other “hooks” built into the code, so it doesn’t install more destructive malware, but it’s still annoying.

All that to say, if you’ve been experiencing a sudden flurry of advertising popups, you may have been one of the unlucky few to have grabbed a malicious variant of an otherwise excellent web extension. If you have, just uninstall it and go grab a new copy, and you should be all set.